Malicious PDF — malware analysis report

Static analysis result for SHA-256 11f11a241a43de59…

MALICIOUS

PDF

43.0 KB Created: 2020-07-18 05:05:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f793b1cc1049c6ade069c60ce18cf037 SHA-1: 89a792be77b8b48ff268eadcc42c117c8d436b61 SHA-256: 11f11a241a43de59ebb24f1d4a2475b86e5d45c56af578e2b769baa02164a805
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a large number of embedded links, characteristic of an SEO link farm, designed to redirect users to potentially malicious websites. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK specifically flags a URL pointing to known malicious redirector infrastructure. The ML classifier also strongly indicated maliciousness. The document body appears to be obfuscated or corrupted, preventing a clear understanding of its specific lure, but the link farm and redirector activity are strong indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=the%20jungle%20book%20oxford%20bookworms%20level%202%20pdf
    • http://files.adentabrasil.com/uploads/1/3/1/4/131453365/cf0265b722f.pdf
    • http://files.jacquelinesdancestudio.com/uploads/1/3/1/4/131437147/63a2476c842.pdf
    • http://files.mr-stevens.com/uploads/1/3/0/7/130776864/zoxakaso.pdf
    • http://files.bellasapothecary.com/uploads/1/3/0/8/130814226/motem.pdf
    • http://files.fabledcollective.com/uploads/1/3/1/6/131606348/49c5d5c7377ec09.pdf
    • http://files.craftyjoe.com/uploads/1/3/2/7/132741181/80e89806a5104ae.pdf
    • http://files.carnegiepresby.org/uploads/1/3/2/3/132303382/xufogotibujiroj.pdf
    • http://files.cckidsfamilies.com/uploads/1/3/0/7/130775605/8214001.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://pabajosut.files.wordpress.com/2020/07/38737461099.pdf
    • https://vewibubod.files.wordpress.com/2020/06/jezakuzu.pdf
    • https://virebon.files.wordpress.com/2020/06/xarijomudazu.pdf
    • https://purekekimol.files.wordpress.com/2020/06/18261710560.pdf
    • https://cdn.shopify.com/s/files/1/0428/8462/8633/files/5457012243.pdf
    • https://cdn.shopify.com/s/files/1/0431/2806/2109/files/72576004333.pdf
    • https://cdn.shopify.com/s/files/1/0432/2649/7182/files/buvirikatemarovawu.pdf
    • https://cdn.shopify.com/s/files/1/0430/8929/7568/files/59451900106.pdf
    • https://cdn.shopify.com/s/files/1/0428/0716/5095/files/93096767827.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zupapinited.pdf
    • https://cdn.shopify.com/s/files/1/0431/6138/7170/files/gaxutubuzi.pdf
    • https://cdn.shopify.com/s/files/1/0427/6148/6503/files/65438906839.pdf
    • https://cdn.shopify.com/s/files/1/0431/8085/1362/files/dakezimetatolugabijeguru.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006780.bin
ffe1bf5fdf0ca77ce8ab04751b0e8cc713be52948994da36fab138793bc04a5e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6780 5580 bytes
font_01_sfnt_off00007a61.bin
e5526d3980ca0e46b102b61f9de9da1ab47b9e4e97e670c30d6a02e3401a272b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A61 10944 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.